North American Network Operators Group


RE: Wow, AS7007!

  • From: Dave Van Allen
  • Date: Fri Apr 25 17:49:10 1997

>-----Original Message-----
>From:	Stephen A Misel [SMTP:[email protected]]
>Sent:	Friday, April 25, 1997 12:53 PM
>To:	[email protected]
>Subject:	Wow, AS7007!
>
>I happened to be in one of our 7505 routers this afternoon when POP -- all
>of a sudden most of the internet disappeared!  I immediately thought it was
>me, but looked around and saw this AS7007 broadcasting MY routes!  
>
>[...]
>
>Correct me if I'm wrong, but:
>
>	(1)  We're going to read about this in EVERY computer magazine, newspaper
>and TV as "the end of the internet?"
>
>Probably. It's newsworthy in that it punctuates the statement "Nearly anyone
>with a BGP router in hand can instantly core-dump the global routing tables"
>
>	(2)  Access lists by backbone providers *should* have prevented this.
>
>Mostly.  An ISP, whether large or small, that BGPs with customers can indeed
>distribute ACLs both on AS heard and routes learned, including masks.
>You can easily re-announce or announce only what you want, or not announce or
>re-announce routes that are inconsistent with your policy or ACL's.
> 
>	(3)  Does or does not the RADB and other routing registries (MCI's, etc)
>prevent this?
>
>It helps, but all you need are a few ingresses that do not filter and you can
>pollute enough of the core to hose it very nicely indeed.
>
>I bet this hole will be patched up real soon!
>
>I don't think so.  I'm not sure that this is as much a "hole" as it is a
>relationship and trust issue.  Right now, when things go OK, the routing
>policies on Net work pretty well.  Unarguably, they need refining, but
>all-in-all the Net still relies mostly on trust, as it has from the
>beginning.  If we simply take all trust away, then the current topology would
>not work, and may not be able to be made to work quickly enough, without even
>more disasters.
>
>This exact thing has happened before, and potentially will happen again
>because all it can take is one typo under 'router bgp xxxxx' at the right
>place, in the right network, and the Internet can go quickly to /dev/null.
>This is the trust factor.  We all rely on the fact that router-jocks won't
>typo, will filter where appropriate, and will educate rookies prior to
>whispering the enable passwd to them.
>
>A few things would help, IMO - All BGP should be authenticated, and all
>neighbors should be ACL'd.
>
>Now after spending 4 hours announcing more specifics to cover the bogon
>routes so we could play Internet today for a bit, it's time to be a
>good-netcitizen and see if I can't re-CIDR myself.  Then it's off to the
>Scotch locker! :-)
>
>Best regards,
>
>Dave Van Allen - You Tools Corporation/FASTNET(tm)
>[email protected] (610)289-1100 http://www.fast.net
>FASTNET - PA/NJ/DE Business Internet Solutions
>
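Added illustration, not part of the original message or of anyone's router configuration: the two points made above (that an ISP can filter a customer session on both the AS path heard and the prefixes learned, including masks, and that a handful of unfiltered ingresses are enough to pollute the core) are shown here as a small Python model. The prefixes are RFC 5737 documentation space and the ASNs are RFC 5398 documentation ASNs; the customer, its registered block and the leaked announcements are all constructed for the example. The filter functions and the RoutingTable class are the example's own names, not any vendor's.

```python
"""Constructed model of per-customer BGP ingress filtering and of the
longest-prefix-match rule that makes unfiltered more-specifics so damaging.
Addresses are RFC 5737 documentation prefixes; ASNs are RFC 5398 documentation ASNs."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str      # e.g. "203.0.113.0/24"
    as_path: tuple   # as_path[0] = neighbor it was heard from, as_path[-1] = origin AS


def make_prefix_filter(allowed):
    """allowed: [(prefix, max_len)] registered for this customer (e.g. from a
    routing registry).  An announcement passes only if it lies inside one of
    those blocks and is no more specific than max_len, so it blocks both
    announcing someone else's space and flooding deaggregated more-specifics."""
    blocks = [(ipaddress.ip_network(p), max_len) for p, max_len in allowed]

    def accept(ann):
        net = ipaddress.ip_network(ann.prefix)
        return any(net.subnet_of(block) and net.prefixlen <= max_len
                   for block, max_len in blocks)
    return accept


def make_as_path_filter(customer_asn, downstream_asns=()):
    """Accept only paths whose first hop is the customer itself and whose
    origin is the customer or one of its registered downstream ASNs."""
    origins = {customer_asn, *downstream_asns}

    def accept(ann):
        return ann.as_path[0] == customer_asn and ann.as_path[-1] in origins
    return accept


def apply_ingress_filters(announcements, filters):
    """Split a customer's announcements into (accepted, rejected)."""
    accepted, rejected = [], []
    for ann in announcements:
        (accepted if all(f(ann) for f in filters) else rejected).append(ann)
    return accepted, rejected


class RoutingTable:
    """One route per prefix; the longest matching prefix wins on lookup."""

    def __init__(self):
        self.routes = {}

    def install(self, ann):
        self.routes[ipaddress.ip_network(ann.prefix)] = ann

    def origin_for(self, addr):
        ip = ipaddress.ip_address(addr)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)].as_path[-1]


# Constructed scenario: AS64496 legitimately originates 203.0.113.0/24, heard via
# transit AS64500.  Customer AS64511 is registered for 192.0.2.0/24 only, but its
# session leaks more-specifics of AS64496's block (the pattern described above).
LEGIT = Announcement("203.0.113.0/24", (64500, 64496))
CUSTOMER_ANNOUNCEMENTS = [
    Announcement("192.0.2.0/24", (64511,)),           # its own block: accepted
    Announcement("192.0.2.0/26", (64511,)),           # own block, but longer than max_len
    Announcement("203.0.113.0/25", (64511,)),         # someone else's space
    Announcement("203.0.113.128/25", (64511,)),
    Announcement("198.51.100.0/24", (64511, 64497)),  # origin not a registered downstream
]
CUSTOMER_FILTERS = [
    make_prefix_filter([("192.0.2.0/24", 24)]),
    make_as_path_filter(64511),
]


def unfiltered_table():
    """What the core sees when the customer session is not filtered."""
    table = RoutingTable()
    table.install(LEGIT)
    for ann in CUSTOMER_ANNOUNCEMENTS:
        table.install(ann)
    return table


def filtered_table():
    """The same session behind the prefix and AS-path filters."""
    table = RoutingTable()
    table.install(LEGIT)
    accepted, _ = apply_ingress_filters(CUSTOMER_ANNOUNCEMENTS, CUSTOMER_FILTERS)
    for ann in accepted:
        table.install(ann)
    return table


if __name__ == "__main__":
    print("unfiltered: 203.0.113.7 is routed to AS", unfiltered_table().origin_for("203.0.113.7"))
    print("filtered:   203.0.113.7 is routed to AS", filtered_table().origin_for("203.0.113.7"))
    for ann in apply_ingress_filters(CUSTOMER_ANNOUNCEMENTS, CUSTOMER_FILTERS)[1]:
        print("rejected", ann.prefix, "path", ann.as_path)
```

Without the filters the two leaked /25s are more specific than the legitimate /24, so traffic for 203.0.113.0/24 is pulled towards the customer; with them, only the customer's registered /24 survives and the legitimate route keeps carrying the traffic. The max_len check is what stops a customer deaggregating its own block into a flood of long prefixes, which is a separate failure from announcing someone else's space.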